[jboss-jira] [JBoss JIRA] (WFLY-5740) ContextPolicy checks purely based on names, ignores Principal types

Arjan t (JIRA) issues at jboss.org
Thu Nov 26 11:28:00 EST 2015


Arjan t created WFLY-5740:
-----------------------------

             Summary: ContextPolicy checks purely based on names, ignores Principal types
                 Key: WFLY-5740
                 URL: https://issues.jboss.org/browse/WFLY-5740
             Project: WildFly
          Issue Type: Bug
          Components: Security
    Affects Versions: 10.0.0.CR4
            Reporter: Arjan t
            Assignee: Darran Lofthouse


In {{org.jboss.security.jacc.ContextPolicy}} the {{implies}} method only looks at the names of each {{Principal}} from the passed-in {{ProtectionDomain}}, without checking if they're actually a role.

The collection of these names is then used to check against role-based permissions.

If a user now has a name "expert" and there's also a role called "expert", access will be granted purely based on the user (caller) name. This is of course not correct.

See the following code:

{code:java}
// Check principal to role permissions
Principal[] principals = domain.getPrincipals();
int length = principals != null ? principals.length : 0;
ArrayList<String> principalNames = new ArrayList<String>();

for (int n = 0; n < length; n ++) {
   Principal p = principals[n];
   if( p instanceof Group ) {
      Group g = (Group) p;
      Enumeration<? extends Principal> iter = g.members();
      while(iter.hasMoreElements()) {
         p = iter.nextElement();
         // *** ONLY NAME IS USED. TYPE IS IGNORED
         String name = p.getName();
         principalNames.add(name);
      }
   }
   else {
      String name = p.getName();
      // *** ONLY NAME IS USED. TYPE IS IGNORED
      principalNames.add(name);
   }
}

principalNames.add(ANY_AUTHENTICATED_USER_ROLE);

for (int n = 0; implied == false && n < principalNames.size(); n ++) {
   String name = principalNames.get(n);
   // *** "name", WHICH CAN BE ANYTHING, USED FOR ROLE NAME HERE
   Permissions perms = rolePermissions.get(name);
   if( perms == null )
      continue;
   implied = perms.implies(permission);
}
{code}
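The following is an added, self-contained illustration of the reported behaviour; it is not code from the WildFly/PicketBox source or from the reporter. It builds a principal set the way the quoted loop sees it (a caller principal plus a group of role principals), runs the name-only collection beside a variant that only treats members of a designated roles group as roles, and checks both against a role-to-permission map. The group name "Roles", the value of {{ANY_AUTHENTICATED_USER_ROLE}}, the {{SimplePrincipal}}/{{SimpleGroup}}/{{ResourcePermission}} classes and the sample data are all assumptions made for the example. It uses {{java.security.acl.Group}} because that is what the quoted code uses; that interface was removed in JDK 14, so this compiles on JDK 8 through 13.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Principal;
import java.security.acl.Group; // interface used by the quoted code; removed in JDK 14
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class RolePrincipalCheck {
    // Assumption: the "any authenticated user" marker role used by the policy.
    static final String ANY_AUTHENTICATED_USER_ROLE = "**";
    // Assumption: roles live in a Group named "Roles"; identity principals live outside it.
    static final String ROLES_GROUP = "Roles";

    // Minimal Principal/Group implementations for the example (hypothetical, not the project's classes).
    static class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    static final class SimpleGroup extends SimplePrincipal implements Group {
        private final List<Principal> members = new ArrayList<>();
        SimpleGroup(String name) { super(name); }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    }

    // Hypothetical permission type standing in for a JACC resource permission.
    static final class ResourcePermission extends BasicPermission {
        ResourcePermission(String name) { super(name); }
    }

    // Mirrors the reported loop: every principal name, whatever its type, becomes a candidate role name.
    static List<String> namesIgnoringType(Principal[] principals) {
        List<String> names = new ArrayList<>();
        for (Principal p : principals) {
            if (p instanceof Group) {
                Enumeration<? extends Principal> it = ((Group) p).members();
                while (it.hasMoreElements()) names.add(it.nextElement().getName());
            } else {
                names.add(p.getName()); // caller's identity name lands in the role list
            }
        }
        names.add(ANY_AUTHENTICATED_USER_ROLE);
        return names;
    }

    // Hardened variant: only members of the designated roles group are treated as roles.
    static List<String> roleNamesOnly(Principal[] principals) {
        List<String> names = new ArrayList<>();
        for (Principal p : principals) {
            if (p instanceof Group && ROLES_GROUP.equals(p.getName())) {
                Enumeration<? extends Principal> it = ((Group) p).members();
                while (it.hasMoreElements()) names.add(it.nextElement().getName());
            }
        }
        names.add(ANY_AUTHENTICATED_USER_ROLE);
        return names;
    }

    // Same lookup as the quoted code: the first candidate name whose permissions imply the request wins.
    static boolean implies(Map<String, Permissions> rolePermissions, List<String> names, Permission permission) {
        for (String name : names) {
            Permissions perms = rolePermissions.get(name);
            if (perms != null && perms.implies(permission)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: the caller's identity principal is named "expert",
        // but the roles group grants only the "user" role.
        SimpleGroup roles = new SimpleGroup(ROLES_GROUP);
        roles.addMember(new SimplePrincipal("user"));
        Principal[] domainPrincipals = { new SimplePrincipal("expert"), roles };

        // Role-to-permission map: only the "expert" role may reach the "admin" resource.
        Permissions expertPerms = new Permissions();
        expertPerms.add(new ResourcePermission("admin"));
        Map<String, Permissions> rolePermissions = new HashMap<>();
        rolePermissions.put("expert", expertPerms);

        Permission wanted = new ResourcePermission("admin");
        System.out.println("name-based check grants: "
                + implies(rolePermissions, namesIgnoringType(domainPrincipals), wanted));
        System.out.println("role-only check grants:  "
                + implies(rolePermissions, roleNamesOnly(domainPrincipals), wanted));
    }
}
```

With the sample data above, the name-based check grants the "admin" permission because the caller's user name "expert" collides with the "expert" role, while the role-only check denies it since "expert" never appears among the roles group's members. The practical mitigation is the second shape: the policy should derive candidate role names only from principals the container has marked as roles, never from the identity principal.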

--
This message was sent by Atlassian JIRA
(v6.4.11#64026)